Firewalling Internal Servers (DHCP, DNS, DC, etc.)

MySongRanHills

Right now I'm working on my home lab, but my question applies to best practices in general for business/corporate networks.

I know DCs should be restricted from the internet and why, but I'm wondering how this works in the real world.

I don't think you would just block WAN traffic to all servers/services on the management VLAN b/c these need to be able to access security updates. Maybe if only connections are allowed to the update servers/repos, etc?
 
you would have a WSUS or another patch server that you manage to download updates and distribute those to your servers/workstations.
 
you would have a WSUS or another patch server that you manage to download updates and distribute those to your servers/workstations.

Thanks! I have heard of patch servers, but never gave it much thought as to their use/function.
After googling up on WSUS, it seems the proper practice is to set up a server for the WSUS role and then use GP to configure clients to grab updates. Seems simple enough.

So is this how it is usually done? Completely cut off from the WAN, with updates from WSUS?

What about for linux servers?
 
Why would you not block WAN traffic to your internal servers? Why does someone outside of your network need to access your Domain Controller, or your SQL server, or whatever?

Machines inside your network should access your Domain Controllers.
 
Your question is a bit confusing/unclear. Can you clarify if you're talking about allowing internet traffic OUT from your servers? Or IN to your servers from the internet?

I don't believe a single company I work with restricts internet access FROM their servers. They do all have firewalls and use private IP addresses so only specifically configured NAT pinholes allow traffic IN from the internet to the servers where required (Webservers etc).
 
Why would you not block WAN traffic to your internal servers? Why does someone outside of your network need to access your Domain Controller, or your SQL server, or whatever?

Machines inside your network should access your Domain Controllers.

What if your WAN covers multiple sites and each site has its own internal servers that other sites need to access?

Blocking most incoming and outgoing internet traffic, yes, but not WAN traffic.
 
Your question is a bit confusing/unclear. Can you clarify if you're talking about allowing internet traffic OUT from your servers? Or IN to your servers from the internet?

I don't believe a single company I work with restricts internet access FROM their servers. They do all have firewalls and use private IP addresses so only specifically configured NAT pinholes allow traffic IN from the internet to the servers where required (Webservers etc).
I've worked at a lot of places which restrict outgoing traffic from all internal vlans, only allowing through what's required and proxying the rest.
 
What if your WAN covers multiple sites and each site has its own internal servers that other sites need to access?

Blocking most incoming and outgoing internet traffic, yes, but not WAN traffic.

If your WAN covers multiple sites then you are going to either be using MPLS to connect them or maybe VPN, depending.

So everything inside is still firewalled off from the world and the only way you are talking to internal servers is via internal links (VPN or MPLS).
 
Your question is a bit confusing/unclear. Can you clarify if you're talking about allowing internet traffic OUT from your servers? Or IN to your servers from the internet?

To be honest, I've always been a bit unclear on this and maybe someone can explain it to me, but it seems that if, say, I were to block all of vlan 5 from accessing the WAN interface, and something on the other end of the WAN tries to establish a connection, send a ping, etc., then even if that traffic gets through to vlan 5, vlan 5 is restricted from responding, so access is effectively blocked both ways. Or no?

For internal servers/services I'd always read to "block internet access", which seemed vague and made me wonder about my earlier question regarding patches/updates.
 
Normally everything would be behind a NAT and incoming traffic blocked by default unless you forward a port. Outgoing connections on the other hand don't have to be blocked. Or at least, you can still allow the ones you want like connecting to MS update servers if not using WSUS.

For multi-site you would normally use VPN tunnels or leased WAN links to link the networks together. Rarely do you have to allow direct connections to inside the network, unless it's running web servers or stuff like that, but you'd probably want that on a separate vlan.
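As an added example (not posted by anyone in this thread), here is an nftables ruleset for the policy described above: NAT with nothing forwarded in, stateful replies allowed, and only the patch server and an outbound proxy permitted to open connections to the internet, so DCs and other servers pull updates from WSUS (or a Linux repo mirror) on the VLAN instead. The interface names, addresses and the 10.0.5.10/10.0.5.20 hosts are constructed placeholders, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Constructed topology (assumption, not from the thread):
#   wan0      = internet-facing interface of the NAT firewall
#   srv0      = server VLAN 5, 10.0.5.0/24 (DC, DNS, DHCP, SQL ...)
#   10.0.5.10 = WSUS / Linux repo mirror (the only server that fetches patches)
#   10.0.5.20 = outbound web proxy for anything else that must reach out
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the firewall already tracked pass both ways.
        # This is why blocking *new* inbound connections does not break
        # outbound updates: the update server's replies match "established".
        ct state established,related accept
        ct state invalid drop

        # Internet -> server VLAN: no new connections at all. The chain policy
        # already drops these; the explicit rule records the intent. A
        # published web server would get its own VLAN plus a dnat pinhole.
        iifname "wan0" oifname "srv0" ct state new drop

        # Server VLAN -> internet: only the patch server and the proxy may
        # start connections out, and only for HTTP/HTTPS.
        iifname "srv0" oifname "wan0" ip saddr 10.0.5.10 tcp dport { 80, 443 } accept
        iifname "srv0" oifname "wan0" ip saddr 10.0.5.20 tcp dport { 80, 443 } accept

        # Everything else from the server VLAN is logged, so a DC or SQL box
        # suddenly trying to reach the internet shows up in the firewall log.
        iifname "srv0" oifname "wan0" log prefix "srv-vlan egress denied: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Private addresses behind NAT; inbound only ever works via an
        # explicit dnat rule, which this ruleset deliberately does not have.
        oifname "wan0" masquerade
    }
}
```

Traffic between servers on the same VLAN (clients fetching from WSUS, DC replication) never crosses the forward chain, so it is unaffected by these rules; this also answers the earlier question about whether blocking vlan 5 outbound blocks inbound: it does not by itself, the inbound drop has to be stated separately.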
 